Congress is considering a number of bills that would give agencies more power to withhold certain information under the Freedom of Information Act. During Open Government Week, Congress is zeroing in on one in particular: A proposed FOIA exemption for critical infrastructure threats in the Lieberman-Collins cybersecurity bill.
Open government advocates and some members of Congress are wary of giving agencies additional avenues to skirt FOIA requests — something they say many agencies already do too often.
“I worry that since Sept. 11, there’s been a broad overuse of the secrecy stamp,” said Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee. “It’s too easy to say ‘this is secret.’ Sometimes ‘secret’ is another way of saying we screwed something up.” Leahy’s committee held a hearing Tuesday to focus on one potential upcoming FOIA exemption. Under the proposed Lieberman-Collins cybersecurity bill, information that private sector entities supply to the government about threats to critical infrastructure would be shielded from release under the Freedom of Information Act, even when that information is held by a government agency. The provision is designed to promote information sharing between government and critical infrastructure operators.
But government sunshine advocates warn Congress needs to be careful not to turn those information sharing incentives into giant FOIA loopholes.
“The worst thing would be a sweeping exemption that’s too broad, too loosely defined, where an agency can make it mean whatever it wants to,” said Kenneth Bunting, the director of the National Freedom of Information Coalition. “The key thing as you address these very real issues is to write a definition that’s narrow enough that it makes sure the public interest in disclosure is considered, and that you review it periodically going forward.”
Real concerns about possible loopholes
Other witnesses testified that agency abuses of FOIA loopholes aren’t just a theoretical matter.
Jerry Ensminger, a retired Marine Corps master sergeant, said he believes his then-6-year-old daughter contracted leukemia from groundwater contaminated with carcinogens while his family was living on Camp Lejuene, N.C., in 1983.
Janey Ensminger died 2-1/2 years later. Her father wouldn’t hear reports about the contaminated water until 1997.
“That was the beginning of my journey in search of answers,” he said in emotional testimony before the committee. “Little did I realize how difficult it would be to get the truth from an organization which supposedly prides itself on honor and integrity.”
Now, Ensminger said, the Navy Department is trying to withhold data about the groundwater contamination by classifying it as “critical infrastructure information,” which is exempt from FOIA.
But the exercise of that FOIA exemption may get harder for DoD, at least if a newly enacted law is implemented as intended. The amendment to this year’s Defense authorization bill, offered by Leahy, tightens the definition of critical infrastructure information and requires DoD to use a balancing test to decide whether it’s permitted to deny a FOIA request.
“It requires government officials to affirmatively determine that withholding critical infrastructure information from the public outweighs other interests, such as ensuring that we have information on health and safety,” Leahy said. “Truly sensitive things can be withheld. But not as a knee-jerk reaction.”
But backers of FOIA protections for cybersecurity information say lawmakers need to consider one important fact: Cyber threats are fundamentally different from contaminated groundwater.
“The cyber threat is real, and likely quite enduring,” said Paul Rosenzweig, a George Washington University law professor who also advises private sector infrastructure operators on cybersecurity law. “Virtually everyone who has examined the issue in the private sector has concluded that the cheapest way to get a running start against that threat is through enhanced information sharing of cyber threat and vulnerability information, both between and amongst the private sector itself, and to the government.”
Protecting confidential data
Rosenzweig said that threat information is something the government needs, and it’s not something private companies are going to hand over if they know their confidential data is going to be subject to release under FOIA.
He said making the information available to the public runs counter to the whole purpose of the Freedom of Information Act.
“The purpose behind FOIA is the transparency of government functions,” he said. “It’s about getting information from the government about the government and its functions. Here, the exemption contemplated is in relation to a sharing of information that wouldn’t otherwise come into the government’s possession in the first place. If we seek the voluntary sharing of information in order to foster the creation of a clear and manifest public good, then the voluntary agreement of private sector actors to provide that information will be contingent on the government’s agreement not to subject them to adverse consequences.”
The adverse consequences include publishing the cyber threats those infrastructure operators do and don’t know about, and potentially exposing confidential business information to competitors.
Meanwhile, the Obama administration is asking Congress to expand — or depending one’s perspective, restore — some of the exemptions to FOIA. That follows a Supreme Court decision last year in Milner v. Department of the Navy, which severely restricted the government’s ability to deny FOIA requests under “exemption 2” of the act.
“There’s a wide range of sensitive material whose disclosure could cause harm, whose disclosure had previously had been protected, and which is now at risk,” said Melanie Pustay, the Justice Department’s director of information policy.
She said it’s a problem Congress needs to fix by restoring agencies’ ability to withhold that information. Nonetheless though, she said President Obama’s default position still is to release information unless there’s a compelling reason not to, and to maintain a presumption of openness.
Sen. Chuck Grassley (R-Iowa), the ranking member on the Judiciary Committee, has his doubts about how that’s worked out.
“He’s put in place some statements and policies for more transparency and more openness,” Grassley said. “I find it difficult to measure that against what’s actually materialized. I think he meant it, but it seems like the people below him aren’t carrying out his policies. … It’s very, very difficult to get information, not just under FOIA, but for members of Congress. It’s just a culture in the executive branch that’s difficult to overcome.”